A notice of privacy practices (NPP) for PHI is a critical part of the HIPAA Privacy Rule that covered entities of all sizes need to understand. This piece of communication is also essential for the relationship between a health plan or provider and their patients.
Under the Privacy Rule, individuals have a right to know the details of their privacy rights. Moreover, they deserve to have a thorough understanding of how their PHI is going to be handled at a covered entity. It is also important for providers to make patients aware of their privacy rights and what they can do if they believe their privacy rights have been violated.
This week, HealthITSecurity.com will discuss the basics around NPPs, and how they play into an organization’s larger health data security plan. We will also discuss sample NPPs and what information HHS requires be included in the notices.
What are NPPs?
As mentioned above, the HIPAA Privacy Rule states that health plans and healthcare providers need to have a notice of privacy practices (NPP). This is information explaining to patients how their PHI is going to be used and disclosed at a particular organization, and specifically what their individual privacy rights are.
“The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information,” HHS explains on its website. “Most covered entities must develop and provide individuals with this notice of their privacy practices.”
However, not all covered entities are required to have NPPs. Correctional institutions that are covered entities, health care clearinghouses, and group health plans that provide benefits only through one or more contracts of insurance with health insurance issuers or HMOs do not fall under this requirement. It should also be noted that clearinghouses are exempt if the PHI they create or receive is from a different business associate (BA) or covered entity (CE), and that group health plans are also exempt if they do “not create or receive protected health information other than summary health information or enrollment or disenrollment information.”
HHS also stipulates that the entire notice must be clearly posted. A partial notice or a summary will not suffice:
Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. The Privacy Rule, however, does not prescribe any specific format for the posted notice, just that it include the same information that is distributed directly to the individual. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.
What needs to be included in the NPP?
Even though patients may not always be thrilled with the idea of reading through pages of paperwork at the doctor’s office, it is still critical that healthcare providers make that information readily available. Covered entities need to find ways of presenting their privacy policies to patients that ensure patients absorb and understand them.
HHS explains on its website that the NPP content must include the following information:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
Should a healthcare provider make changes to its NPP, it is not required under the Privacy Rule to mail said changes out to patients. However, if changes are made, then the notice needs to be made “available upon request to patients or other persons on or after the effective date of the revision.” Moreover, if a physical copy is maintained on site, then the provider needs to clearly post the notice.
It is important to note though that a health plan is required under the HIPAA Privacy Rule to remind enrollees of the availability of its NPP and how to obtain a copy. This should be done no less frequently than once every three years, according to HHS.
Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule.
There are also three different types of notices that healthcare organizations can use when creating an NPP. They can use a booklet; a layered notice containing a summary of the information on the first page and the full content on the following pages; or a notice with the design elements of the booklet, but formatted for full-page presentation. A text-only version is also available in Microsoft Word.
Regardless of the option that a healthcare organization chooses, the notice must include a section on patients’ rights, a section on their choices in how their information is shared, and a section on how the organization will use and share information.
A comprehensive health data security plan includes current NPPs, as patients need to understand how their information will be used and potentially shared by their healthcare provider. Organizations should regularly check with HHS to ensure that any updates or changes are accounted for, and that they understand how to update patients on their policies and how they distribute and post that information at their facility.